Posted at 5:00 am
One reader, Jean-Francois, was horrified to see “non-existent account” displayed in red when he tried to open an online session.
He tried again, and the same message popped up. Jean-Francois may not have seen his life flash before his eyes, but in a flash he mentally ran through all the places where proof of the account’s existence could be retrieved.
On the phone, an advisor from a financial institution told him it was a computer failure. To his great relief, Jean-Francois was able to find his online account and all of his investment data a few hours later.
In a world where everything is going virtual, where the risk of cyberattacks is skyrocketing, where Interac service is breaking down due to Rogers, should we keep copies of our statements somewhere other than the banking institution’s site?
Do we need to keep copies?
“This story of digital shift is good, but we need to own our data. It’s something you don’t get because it’s so easy to go to cloud computing and Google Drive,” said Alexandre Fournier, founder of Crisis & Resilience, a firm specializing in cyber crises and business continuity management, in an interview.
“If it’s cut off from the outside, whether it’s financial institutions, access to emails or the Microsoft environment, you have to have this possibility of autonomy,” he continues.
The Financial Consumer Agency of Canada (FCAC), which has a mandate to strengthen Canadians’ financial literacy and monitor bank compliance, says it’s good practice to keep copies of bank statements and other financial documents. “Whether that’s through hard or electronic copies,” explains FCAC’s Leonie Laflamme-Savoie.
“Users can choose the method that suits them according to their preferences and technical skills,” she said.
Regardless of the method, the most important thing is to ensure that these documents are stored in a safe place, safe from fraudsters.
Leonie Laflamme-Savoie, FCAC
Consulted on this matter, financial institutions suggest that customers do not need to retain copies of their statements. However, “it’s good practice to keep a copy of member/client account statements and investment statements regardless of the medium,” says Desjardins Group spokeswoman Chantal Corbeil.
Alexandre Guay of the National Bank said customers who wish to do so can save electronic copies.
At BMO, advisors recommend checking your bank statement, paper or virtual, regularly to review the day’s banking transactions. “It is important to be aware of your daily transactions. It saves us a lot of hassle,” said Marc Dionne, regional vice-president of retail banking at BMO Bank of Montreal.
“3-2” method
Specialist Alexandre Fournier recommends making three copies on two different media: on the company’s website, on a computer and on paper, or on the organization’s website, on a computer and on a USB key or external hard drive. Ideally, he stressed, the key would not be stored next to the computer.
A copy must be outsourced. If your house burns down and you lose access to your laptop or Google Drive, you’ll have a third copy of the physical key so you can recover your data.
Alexandre Fournier, founder of Crisis & Resilience
“When you move to the cloud, you have no guarantee that you will be able to access your data overnight due to an involuntary or voluntary situation.”
Can our data disappear forever?
All experts consulted agree that there is zero risk. But they say financial institutions have to follow stricter rules than SMEs and insurance companies.
It is possible for theft, manual error, mishandling or someone inside to delete specific customer data and it does not include all data.
Patrick R. Mathieu, computer security specialist and co-founder of Hackfest
“It is not impossible for a financial institution’s client to temporarily lose access to their data (for example online),” maintains Pierre-Luc Pomerly, partner at VIDOCQ, a risk management firm. “However, it should be understood that the customer’s data would not have been lost if all the mechanisms were in place. These are due to an incident. Access may be temporarily unavailable, but the Financial Institution will make every effort to restore service and access to data as soon as possible.”
“Banks are highly secure institutions, well-recognized for their advanced cyber security and data protection practices,” said Matthew Labreche of the Canadian Bankers Association.
In July 2022, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-13, which outlines its expectations in terms of risk management related to technology and cyber risk.
OSFI is currently conducting a public consultation and awaiting public input on third-party risk management, specifically to take into account the transfer of data from one cloud service provider to another. The consultation period ends on September 30.
La Presse contacted seven financial institutions. Desjardins only wanted to explain that its customers’ data does not disappear overnight, as it is stored in its secure centers and in multiple external locations.
“We have backup mechanisms that cover disaster scenarios and aim to minimize the impact of a major outage,” says Chantal Corbeil, a spokeswoman for Desjardins Group, which has invested $300 million in its security office by 2021, employing 1,100 professionals.
This is part of backup management best practice.
According to security expert Patrick R. Mathieu, Desjardins and RBC are among the most advanced in technical security testing. The level of manufacturing is not the same from one company to another, he observes.
VIDOCQ’s Pierre-Luc Pomerly says financial institutions have several mechanisms in place to mitigate negative impacts on the accessibility of the organization’s data in the event of a cyberattack, data destruction or natural disaster. Backups take place at different physical sites in different regions, he explained, adding that, upstream, teams run simulations to deal with different types of incidents and restore maximum service as quickly as possible.
In a more serious case, another problem may arise. “Physically, taking the example of Ukraine where banks were destroyed, employees should be prepared to rebuild data from the bank rather than their family, even if a second backup location exists and is tested,” concludes Patrick R. Mathieu.